Symantec Security Response Newsletter

June 2003


Bugbear Makes a Comeback!

Bugbear made a comeback this month in the form of W32.Bugbear.b@mm. This variant has some significant differences from the original version. Of most concern is the key logging and data export. Of course users wouldn't be infected if their systems were patched up to date. It's the same problem: an old vulnerability, first discovered in March 2001, still giving viruses and worms like Bugbear a way onto your PC.

We are late publishing the June edition; I've been busy with the next version of Symantec's Internet Threat Report, due out in September, analysing the Newsletter survey results and working on the new HTML format.

In response to the survey conducted on this newsletter we have added a couple of new sections, changed a few sections and taken note of your comments. Later editions will be further enhanced, but in this edition you'll find a calendar of selected security events and IT Security news links that may be of interest.

One of the more controversial additions is the 'Symantec Solution' boxes embedded in the articles. These are a compromise: we didn't want to carry advertising, but many subscribers want to know what products we have to combat security issues, so these boxes are, I think, a reasonable way of covering these issues.

AVAR (Association of anti-Virus Asia Researchers) have just issued their call for papers for the conference that will be held in Sydney, Australia later this year. As an AVAR VP I'm proud to be the conference chair on behalf of AVAR for this year. Details of the event are in the calendar.

I've recently had the pleasure of working with Syngress to write the Foreword to a new book, Configuring Symantec AntiVirus Corporate Edition (ISBN: 1-931836-81-7). You can get a copy from Amazon here, and no, I won't make any money from promoting this link. :)

- A variant of W32.Bugbear@mm.
- A mass-mailing worm that also spreads through network shares.
- Polymorphic and also infects a select list of executable files.
- Possesses keystroke-logging and Backdoor capabilities.
- Attempts to terminate the processes of various antivirus and firewall programs.

In addition, the worm contains routines that specifically affect financial institutions. This functionality will cause the worm to send sensitive data to one of ten hard-coded public Internet e-mail addresses.

The information sent includes cached passwords and key-logging data.

Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupts their normal functionality.

Fu is a kernel rootkit created for Microsoft Windows NT4, Microsoft Windows 2000, and Microsoft Windows XP. By directly accessing Windows kernel data structures, Fu creates an effective avenue of clandestine access, which attackers may use to conceal their presence and perform operations with elevated privileges on a compromised system.

Manifesting itself in the form of a device driver, Fu is especially dangerous because it modifies the behaviour of the underlying operating system at the lowest possible level. Once deployed, operations performed via this utility may be extremely difficult to detect.

Spybot version 3 Analysis

Spybot, also known as Milkit, is an open source trojan that contains several mechanisms of propagation. Spybot can spread using file sharing applications and vulnerabilities in other trojans as propagation vectors. Spybot will attempt to take control of systems that were previously compromised and are running the Sub-Seven or Kuang2 trojan. An infected system will connect to an Internet Relay Chat (IRC) channel and wait for the attacker to issue instructions. Once a system has been infected, the attacker will have complete control of the system via IRC.

An attacker can modify the Spybot source code to create a trojan that will meet the attacker's needs. The customizable nature of Spybot can result in dynamic behaviour and unique binaries, which can make detection and removal a complex task.

W32.Illpatient IRC-based RAT Analysis

W32.Illpatient is an IRC-based Remote Access Tool (RAT), written in C, which runs on the Win32 family of operating systems. It was obtained from a compromised Symantec DeepSight Honeypot and was found compressed with UPX.

This utility was loaded onto a compromised Symantec DeepSight Honeypot with what may have been a scripted installation routine, as this utility does not appear to be capable of propagating automatically.

W32.Illpatient receives commands from its owner through Internet Relay Chat (IRC). During startup, it connects to a hard-coded IRC server and joins a private, keyed channel. Although W32.Illpatient contains several features, including a Denial of Service (DoS) routine, testing has indicated that it is not very stable.

FastTrack P2P Supernode Packet Handler has been reported prone to a buffer overflow vulnerability. The issue presents itself in the FastTrack Supernode packet handler. The handler does not perform sufficient bounds checking on supernode entries received before they are copied into a reserved buffer in internal memory.

An attacker may exploit this vulnerability to trigger a denial of service condition or ultimately have arbitrary attacker-supplied code executed. Code execution would occur in the context of the user running an application that incorporates the vulnerable FastTrack P2P Packet Handler.
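The check the advisory says is missing, shown as an added example that is not the FastTrack code or any Symantec code: a supernode-list parser that validates the peer-supplied entry count against both the bytes actually received and the capacity of the reserved buffer before copying. The packet layout (1-byte count, then 6-byte IPv4/port entries) is an assumption made for the example; the real FastTrack wire format is undocumented.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical supernode entry: IPv4 address plus TCP port. This is a
 * constructed layout, not the real FastTrack wire format. */
struct supernode {
    uint8_t  addr[4];
    uint16_t port;
};

#define SUPERNODE_CAP 8   /* capacity of the "reserved buffer" being filled */
#define ENTRY_LEN     6   /* 4 address bytes + 2 port bytes (assumed) */

/* Assumed packet layout: 1-byte entry count, then count * ENTRY_LEN bytes.
 * The defect described in the advisory is copying entries into a fixed
 * buffer while trusting the peer's count; here the count is checked against
 * the output capacity and against the bytes that were really received.
 * Returns the number of entries stored, or -1 if the packet is rejected. */
int parse_supernode_entries(const uint8_t *pkt, size_t pkt_len,
                            struct supernode *out, size_t cap)
{
    if (pkt == NULL || out == NULL || pkt_len < 1)
        return -1;
    size_t count = pkt[0];
    if (count > cap)                        /* would overrun the reserved buffer */
        return -1;
    if (pkt_len - 1 < count * ENTRY_LEN)    /* packet shorter than it claims */
        return -1;
    const uint8_t *p = pkt + 1;
    for (size_t i = 0; i < count; i++, p += ENTRY_LEN) {
        memcpy(out[i].addr, p, 4);
        out[i].port = (uint16_t)((p[4] << 8) | p[5]);   /* big-endian port */
    }
    return (int)count;
}
```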

Running the server in a closed or restricted environment may limit the consequences of successful exploitation. Execute server processes with the least privileges required, and place processes in a restrictive environment.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
PMachine PMachine 2.2.1: